The European Commission has launched a consultation on the best way to reform network and information security. Proposals for consideration include the introduction of legal obligations to adopt appropriate risk management practices and security breach notification requirements.

Background

In June 2012 the World Economic Forum produced a report on cyber security and resilience emphasising how complex and numerous cyber threats have become in the digital age. The report (see Related links) highlights that such threats have a wide range of potential impacts on both businesses and nation states, including denial of service, data exposure, disinformation, reputational damage and loss of trust. The report also considers the economic benefits of cyber resilience, including stabilising markets and enabling innovation. In turn this helps to increase the attractiveness of a market to investors who are concerned to secure their assets, including important intellectual property.

The European Commission notes the disturbing frequency of cyber attacks, which increased by over 36% in 2011 alone, and has begun the cyber security consultation with the aims of enhancing preparedness, strengthening the resilience of critical infrastructure and fostering a cyber security culture in the EU.

Proposals under consideration

The European Commission is canvassing views on the best way to enhance cyber security. The three main strategies for consideration are as follows:

  • Continue with the existing regime, under which Member States and organisations co-operate voluntarily;
  • Continue with a voluntary regime but with a set of minimum standards with which organisations will be expected to comply;
  • Put in place new legal requirements to adopt risk management practices and to report security breaches affecting critical networks and systems.

The types of environments that the European Commission has identified as 'critical' for these purposes are 'networks and information systems that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking).'

It is interesting to note that any cyber security breach notification requirements will overlap with the EU's proposals for a new data protection regulation, which includes proposals for data security breaches to be notified to data protection regulators.

Responding to the consultation

The consultation is intended to conclude in early October, at which point the Commission is expected to begin the process of drawing up an approach to future risk management requirements. If you would like to respond to the consultation, you can provide your input by submitting the form found at the European Commission website (see Related links).